[Openswan Users] Openswan -> openswan two host behind NAT problem
Steve Kieu
msh.computing at gmail.com
Thu Sep 18 21:05:16 EDT 2008
Hello everyone,
I am trying to set up the config below without success.
From a64 <=> peace-dk:
[169.173.0.0/24] a64 [169.173.0.64] => [169.173.0.1] adsl modem [118.92.238.50]
    ========== [202.78.240.7] linux-fw [192.168.2.1] => [192.168.2.252] peace-dk
I have configured the adsl modem to forward IKE traffic (udp 4500 and 500) to
a64 (169.173.0.64). But I did not (and do not want to) set it up on linux-fw the
same way. I want the connection initiated from peace-dk, joining
169.173.0.0/24 with 192.168.2.252/32. The exact same setup works with racoon (on
a64 with passive on). Now I am trying to do it with openswan with the following
config:
on a64:
conn for-peace
    left=169.173.0.64
    #leftid=a64
    leftnexthop=%defaultroute
    authby=secret
    type=tunnel
    forceencaps=yes
    leftsubnet=169.173.0.0/24
    rightnexthop=202.78.240.7
    right=192.168.2.252
    rightsubnet=192.168.2.252/32
    esp=blowfish-sha1
    keyexchange=ike
    auto=add
on peace-dk:
conn home1
    type=tunnel
    forceencaps=yes
    authby=secret
    left=192.168.2.252
    leftnexthop=%defaultroute
    leftsubnet=192.168.2.252/32
    rightnexthop=118.92.238.50
    right=169.173.0.64
    rightsubnet=169.173.0.0/24
    esp=blowfish-sha1
    auto=start
It does not work; it seems phase 1 gets through but phase 2 is pending:
root at peace:~# ipsec auto --status | grep home
000 "home1": 192.168.2.252/32===192.168.2.252---192.168.2.1...118.92.238.50---169.173.0.64===169.173.0.0/24; erouted HOLD; eroute owner: #0
000 "home1": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "home1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "home1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1; encap: udp;
000 "home1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "home1": IKE algorithms wanted: BLOWFISH_CBC(3)_000-SHA1(2)-MODP1536(5), BLOWFISH_CBC(3)_000-SHA1(2)-MODP1024(2); flags=strict
000 "home1": IKE algorithms found: BLOWFISH_CBC(3)_000-SHA1(2)-MODP1536(5), BLOWFISH_CBC(3)_000-SHA1(2)-MODP1024(2); flags=strict
000 "home1": ESP algorithms wanted: BLOWFISH(7)_000-SHA1(2); flags=strict
000 "home1": ESP algorithms loaded: BLOWFISH(7)_000-SHA1(2); flags=strict
000 #1: "home1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 13s; nodpd
000 #1: pending Phase 2 for "home1" replacing #0
root at a64:~# ipsec auto --status|grep peace
000 "for-peace": 169.173.0.0/24===169.173.0.64---169.173.0.1...202.78.240.7---192.168.2.252===192.168.2.252/32; unrouted; eroute owner: #0
000 "for-peace": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "for-peace": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "for-peace": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32; interface: eth0; encap: udp;
000 "for-peace": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "for-peace": ESP algorithms wanted: BLOWFISH(7)_000-SHA1(2); flags=strict
000 "for-peace": ESP algorithms loaded: BLOWFISH(7)_000-SHA1(2); flags=strict
000 #1: "for-peace":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 29s; nodpd
000 #1: pending Phase 2 for "for-peace" replacing #0
Any idea what I did wrong? That is the only case where I have trouble setting up
openswan (and racoon works); in all other cases I can easily get openswan to work
without any problem at all (tested with WinXP, a Cisco PIX, and other Linux).
Thanks in advance,
Regards,
--
Steve Kieu
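Editor's added example, not the poster's configuration and not a reply from the list: the layout commonly used in Openswan for exactly this topology, two hosts behind NATs with UDP 500/4500 forwarded only on the responder's side. Two things differ from the configuration in the post. The initiator addresses the peer by the public address its NAT forwards from (118.92.238.50), since 169.173.0.64 is a private address on the far LAN and cannot be reached from peace-dk; and the responder uses right=%any plus an ID match, because it cannot address the NATed initiator directly and only ever answers. For reading the status output above: `STATE_MAIN_I1 (sent MI1, expecting MR1)` with a pending EVENT_RETRANSMIT means the very first main-mode reply never arrived, so no ISAKMP SA exists yet (`newest ISAKMP SA: #0`) and the "pending Phase 2" line is simply queued behind it. The identities `@a64` and `@peace-dk`, the PSK placeholder and the AES cipher choice are assumptions made for illustration.

```conf
# /etc/ipsec.conf on a64 (responder; the ADSL modem forwards UDP 500/4500 here)
conn for-peace
    left=169.173.0.64
    leftid=@a64                  # assumed FQDN-style ID; the peer must set rightid=@a64
    leftsubnet=169.173.0.0/24
    leftnexthop=%defaultroute
    right=%any                   # initiator is behind a NAT with no forwarding: accept from any address
    rightid=@peace-dk            # ...but only when it presents this ID
    rightsubnet=192.168.2.252/32 # the /32 the peer proposes in quick mode
    authby=secret
    forceencaps=yes              # keep ESP inside UDP 4500 even if NAT detection misfires
    ike=aes128-sha1-modp1536     # assumption: AES instead of the 64-bit-block Blowfish in the post
    esp=aes128-sha1
    pfs=yes
    auto=add                     # responder only; it can never initiate towards the NATed peer

# /etc/ipsec.secrets on a64
# In main mode the PSK is selected by peer IP before IDs are exchanged, so the
# NATed peer has to be matched with %any (placeholder secret, replace it).
169.173.0.64 %any : PSK "replace-with-a-long-random-secret"

# /etc/ipsec.conf on peace-dk (initiator, behind linux-fw with no port forwarding)
conn home1
    left=192.168.2.252
    leftid=@peace-dk
    leftsubnet=192.168.2.252/32
    leftnexthop=%defaultroute
    right=118.92.238.50          # public address of the responder's NAT, not 169.173.0.64
    rightid=@a64
    rightsubnet=169.173.0.0/24
    authby=secret
    forceencaps=yes
    ike=aes128-sha1-modp1536
    esp=aes128-sha1
    pfs=yes
    auto=start                   # this side initiates, so its NAT needs no forwarding

# /etc/ipsec.secrets on peace-dk
192.168.2.252 118.92.238.50 : PSK "replace-with-a-long-random-secret"
```

After `ipsec auto --replace` on both ends, `ipsec auto --status` on peace-dk should progress past STATE_MAIN_I1 to STATE_MAIN_I4 and then STATE_QUICK_I2, and `newest ISAKMP SA`/`newest IPsec SA` should show non-zero state numbers; `tcpdump -ni eth1 udp port 500 or udp port 4500` on peace-dk is the quickest way to confirm replies are actually coming back from 118.92.238.50. Two caveats a practitioner would want: with `right=%any` a single PSK is shared by every peer that can reach the responder, so for more than one NATed client it is better to use `authby=rsasig` with per-peer `rightrsasigkey`; and if the peer's inner address is not fixed, Openswan's `rightsubnetwithin=192.168.2.0/24` accepts any /32 the peer proposes inside that range instead of the fixed `rightsubnet`.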